(54) Title: COMPUTER SOFTWARE AUTHENTICATION, PROTECTION, AND SECURITY SYSTEM

(57) Abstract 

A software-based computer security enhancing process and graphical software-authenticity method,
and a method to apply aspects of the two are disclosed. The process provides protection against
certain attacks on executable software by persons or other software used on the computer. Software
using this process is protected against eavesdropping (the monitoring of software, applications, the
operating system, disks, keyboard, or other devices to record (steal) identification, authentication
or sensitive data such as passwords, User-ID's, credit-card number and expiry dates, bank account
and PIN numbers, smart-card data, biometric information (for example: the data comprising a retina
or fingerprint scan), or encryption keys), local and remote tampering (altering software to remove,
disable, or compromise security features of the altered software) examination (viewing the
executable program, usually with the intent of devising security attacks upon it), tracing
(observing the operation of an executable program step-by-step), and spoofing (substituting
counterfeit software to emulate the interface of authentic software in order to subvert security) by
rogues (e.g.: Trojan Horses, Hackers, Viruses, Terminate-and-stay-resident programs, co-resident
software, multi-threaded operating system processes, Worms, Spoof programs, key-press password
capturers, macro recorders, sniffers, and other software or subversions). Aspects include executable
encryption, obfuscation, anti-tracing, anti-tamper and self-verification, runtime self-monitoring,
and audiovisual authentication (math, encryption, and graphics based method permitting users to
immediately recognise the authenticity and integrity of software). The figure in the specification
depicts the many components and their interaction.

Computer Software Authentication, Protection, And Security System

Background Of The Invention 

The present invention relates to a computer program having enhanced security features, and
also to a system and method for enhancing the security features of a computer program. In particular,
the present invention relates to such a program, and the system and method for creating the program,
having increased security features to prevent ID-Data (as defined hereafter) eavesdropping and/or theft
and/or to ensure authenticity.

Description Of The Prior Art 

Computers are becoming widely interconnected and heavily relied upon to process and store
sensitive information. The risk of unauthorised access to computers and information has increased
with this increased interconnectivity.

Many security advances exist in the areas of identification & authentication of users,
cryptography, virus prevention, and the like, however - almost all of these advances ultimately rely
upon computer software. Most computer systems are, or are accessed by, small personal computers,
and most software used on these personal computers is susceptible to "local attacks" - attacks which
are mounted from inside said personal computers against said software by other software or people.

Passwords, User-ID's, credit-card numbers and expiry dates, bank account and PIN numbers,
smart-card data, biometric information (for example: the data comprising a retina or fingerprint scan),
cryptographic keys, and the like are all examples of identification, authentication or similar data which
is either sensitive in itself or may allow access to sensitive, restricted or other information or services.
Hereafter, the term ID-Data will be used to refer to the abovementioned identification, authentication
or similar data, excluding ID-Data which is valid only for a single use, or which is designed to expire
at regular intervals of less than two minutes.

Illegal access to computer system information can be obtained by exploiting various security
flaws found in computer software products. A common flaw is the susceptibility of said software to
the theft of ID-Data either directly from said software as it executes, or from the operating system or
hardware on which said software is executing. Another common flaw is the susceptibility of said
software to illegal modification. Such modifications may remove, disable, or compromise the security
features of said software.

Viruses, Terminate-and-stay-resident programs (TSRs), co-resident software, multi-threaded
operating system processes, Trojan Horses, Worms, Hackers, Spoof programs, key-press password
capturers, macro-recorders, sniffers, and the like can be effective at stealing ID-Data and are
examples of (a) rogue software or (b) people capable of subverting security software or (c) software
which can be configured for illegitimate purposes. Hereafter, the term rogue software will be used to
refer to software or subversions such as the abovementioned (a) (b) and (c), used for the purpose of
stealing ID-Data. The definition of our term "rogue software" when used herein also includes
software or other means used to tamper with other software. The term tampering is defined hereafter.

There are many ways to introduce rogue software into a computer system. Viruses spread
automatically by introducing themselves. Trojan-horses are usually introduced by tricking users into
allowing them to execute (such as by masquerading as a new or well-known computer game or other
product). Existing security problems may be utilised to introduce rogue software; some well known
problems include Java bugs, errors, or oversights, ineffective physical security (for example:
permitting rogue software to be introduced directly on floppy disk by an intruder), electronic mail
attachments which automatically execute or execute after a simple mouse-click, incorrect security
settings on internet, world-wide-web, TCP/IP or modems, and tampering (see definition hereafter) with
legitimate software in-transit as it flows from remote internet sites into a users computer, to name a
few.



Rogue software, once introduced, can steal ID-Data as mentioned hereinbefore. It may monitor
the keyboard (for example: by recording every key, as the user presses each one, in order to steal a
password as it is being typed in), serial-port, mouse, screen, or other devices to steal ID-Data directly
from them. It may monitor other software, applications, the operating system, or disks to steal ID-Data
from there also. Once stolen, this ID-Data may be stored locally (for example: in memory or
disk) or transmitted to remote locations (for example: by modem or network) or used immediately to
perform illegal operations. Hereafter, the term eavesdropping will be used to refer to the monitoring
of a computer to record ID-Data.

For example, a key press recorder could secretly, and unbeknown to the computer user, record
all the keys pressed by the user into a hidden systems file. The information recorded could include a
user's password and other sensitive information which an organisation would obviously wish to
protect.

Additionally, rogue software may remove, disable, or compromise existing computer software
security features by modifying the memory, disk, or other image of said computer software. Rogue
software may also utilise tampering techniques to alter existing computer software in order to steal
ID-Data from it, or may attach itself to existing computer software (as is the case with many computer
viruses). Hereafter, the term tampering will be used to refer to the abovementioned modification of
computer software. Tampering may take place either locally (within a users PC) or remotely (for
example: at one of the points which a computer program passes through as it is being downloaded).

Further, counterfeit software can be substituted for legitimate software. The counterfeit will
appear real to a computer user, but actually acts to subvert security, such as by stealing ID-Data.
Sometimes called "Spoof" programs or Trojan Horses, counterfeit software of this type may invoke
the original legitimate software after having stolen ID-Data, so as not to arouse a users suspicion.



Another potential security flaw found in computer software products is susceptibility to
examination and reverse-engineering. Known (but generally secret) and other security problems or
mistakes can be discovered by hackers and the like from
software and by tracing its operation.

Additionally, computer software piracy is a growing problem, and the existing simple means
which prevent this problem (such as registration or serial numbers and customer-names being encoded
within the product) are becoming less effective.

There is necessity within the try-before-you-buy software market for vendors to employ
effective features which allow old software to expire without fear of hackers or the like removing said
expiry features and for secure registration of software to be provided through the use of software
unlock-codes.

There is also need for software to be able to prevent security attacks upon itself (ie: tampering)
and upon its own attack-detection code. There may also be a future need for software to identify the
attacker for subsequent prosecution.

There also exist cases where untamperable software usage metering may be desirable, and
where effective password-protection of software execution may also be desirable.

Known advances in certain areas of computer security have been successful and documented.
There have been some advances in anti-virus technology which help detect and prevent certain security
problems. There have been numerous advances in hardware-assisted computer security add-ons and
devices, such as smartcards and biometric input devices. There have been advances in cryptographic
techniques. Generally, all of these advances require authentic, un-tampered-with computer software in
order to work. There have been relatively few advances in software-based integrity self-checking (eg:
tamper protection), and no prior software-based advances in preventing eavesdropping or the
electronic theft of ID-Data, and no prior software-based advances in self-authentication.



Summary Of The Invention

This invention describes a process which substantially enhances the security of computer
software (hereafter referred to as the improved process) and a method by which to apply said
improved process (hereafter referred to as the applicator).

The improved process consists of including computer code to automatically detect tampering of
said computer software, and computer code to prevent the theft of ID-Data by replacing existing
vulnerable (to rogue software eavesdropping or attack) software or operating system code with secure
equivalents which utilise anti-spy techniques (as described later in this document).

Preferably, the improved process also consists of including computer code to prevent
de-compilation, reverse-engineering, and disassembly by the inclusion of obfuscating code inserts, and the
use of executable encryption.



Preferably, the improved process also consists of including code to prevent execution-tracing
and debugging by the use of code designed to detect and prevent these operations.

Preferably, the improved process consists of, or also includes, human-recognisable audio-visual
components which permit the authenticity of said computer software to be easily verified by the user
on each invocation using techniques described later in this document.

The idea which led to the creation of this invention can be summarised as follows:- If a piece
of computer software that is executing can be shown to be the genuine article, and this software can
protect itself against eavesdropping, and this software can prevent tampering of itself, then it is
possible for this software to function in a secure manner, even within an insecure operating system.
This invention permits the creation of such a piece of computer software - having a tangible, useful
security advantage and hence improving its value.

Brief Description Of The Drawings

Fig.1 illustrates the standard operation of a computer system known in the prior art;
Fig.2 illustrates the known operation of a rogue or "spoof" program;
Fig.3 illustrates application code updated with the preferred embodiment;
Fig.4 illustrates the known operation of a rogue eavesdropping program;
Fig.5 illustrates the interaction of the components of the updated application;
Fig.6 illustrates the general structure of the preferred embodiment of the applicator;
Fig.7 illustrates a standard layout for a program to be executed on a computer system;
Fig.8 illustrates the standard layout of an EXE header under the MS-DOS operating system;
Fig.9 illustrates a standard layout of an EXE program under MS-DOS;
Fig.10 illustrates an altered executable form constructed in accordance with the specific embodiment;
Fig.11 illustrates a first stage of execution of the new.exe executable;
Fig.12 illustrates a second stage of execution of the new.exe executable file;
Fig.13 illustrates a third stage of execution of the new.exe executable file.

Detailed Description Of Preferred Embodiments

As will be described hereinafter, the present invention has general applicability to many
different operating systems including Microsoft DOS (Trade Mark), Apple Macintosh Operating
System, Unix (Trade Mark) etc.

Described hereafter are several security-enhancing techniques to combat eavesdropping.
Security is provided by (a) hampering examination of software-code or operating system code or parts
thereof through the use of the encryption or partial encryption of said code, (b) preventing the
disassembly of said code through the inclusion of dummy instructions and prefixes and additional code
to mislead and hamper disassembly (ie: obfuscating inserts), (c) preventing the computerised tracing of
the execution of said code (for example: with code debugging tools) through the use of instructions to
detect, mislead, and hamper tracing, (d) preventing tampering of said code through the use of scanning
to locate alterations, either or both on-disk and in memory either once at the start of execution, or
continuously upon certain events, or (e) preventing ID-Data theft through the inclusion of secure
input/output routines (for example: routines to

system routines. Hereafter, the term anti-spy will be used to refer to any combination
of the abovementioned techniques (a)

Referring now to Fig.1 there is illustrated the standard scenario

executable program 16, under the control of a computer operating system 17

preferred embodiment of the present invention, the executable program

as will be described hereinafter, to ensure its integrity and improve its security.

There are five aspects of this inventions improved process, although said process is still
substantially improved even if not all of them are present. These aspects are: (1) preventing
eavesdropping (2) preventing disassembly and examination (3) detecting tampering (4) preventing
execution-tracing and (5) ensuring authenticity.

The preferred embodiment of these aspects of the present invention will now be described.

Aspect 1. Preventing eavesdropping.

As hereinbefore described, it is desirable to prevent rogue software from eavesdropping on
ID-Data. By replacing software which is vulnerable to eavesdropping with equivalent software which is
far more secure, this purpose is achieved. To remove the vulnerability from said equivalent software,
replacement routines may communicate directly with the hardware of the computer (for example, they
may communicate with the keyboard circuitry instead of using the system-supplied (and hence
possibly insecure) application-interface keyboard-entry function-calls.) while disabling
interrupts which would permit rogue software to eavesdrop. Said replacement routines are coded to
store ID-Data retrieved in a secure manner. ID-Data is not stored in full in plaintext (ie: unencrypted)
in system or application buffers.

Aspect 2. Preventing disassembly and examination.

As hereinbefore described, it is desirable to hamper disassembly (or de-compilation or reverse
engineering) to protect software against eavesdropping and tampering, and to hinder examination of
said software which might lead to secret security problems or mistakes being disclosed.

Obfuscating inserts can successfully prevent automatic disassembly. Obfuscation is achieved
by following unconditional jump instructions (for example, Intel JMP or CLC/JNC combination or
CALL (without a return expected) or any flow-of-control altering instruction

return to the usual place) with one or more dummy opcode bytes which will cause subsequent
op-codes to be erroneously disassembled (for example, the Intel 0xEA prefix will cause disassembly of
the subsequent 4 op-codes to be incorrect, displaying them as the offset to the JMP instruction
indicated by the 0xEA prefix instead of the instructions they actually represent).

Dummy instructions may also be included to hamper disassembly by deliberately misleading a
disassembler into believing a particular flow of control will occur, when in

Flow of control can be designed to occur based upon CPU flag values determined from
instructions executed a long time ago. Together with tracing prevention, this makes manual



The majority of the executable portions of the software can
The decryption taking place in memory after the software is loaded

control of a decryption "header" which prevents its own tampering. This makes

manual and automatic disassembly nearly impossible, since the decryption should be designed to fail if
tampering or tracing is detected.

As hereinbefore described, it is desirable to detect tampering, since this may lead to the
reduction of software security.

This can be achieved with the use of code which is protected from disassembly and examination
through obfuscation and encryption, which re-reads its own external-image and compares it with its
known memory image or precalculated check-data to detect hot-patching (ie: the modification of
software sometime after it has been loaded from disk, but (usually) before execution of the modified
section has commenced).

Additionally, the software can scan the memory image of itself one or more times, or
continuously, to ensure that unexpected alterations do not occur.

Certain modifications to the external copy of software are reflected in subtle changes to the
environment in which the modified software will be executed (for example: the size of the code, if
altered, will be reflected in the initial code-size value supplied to the executing program being
incorrect.). Additionally, certain modifications to the operating system and environment of said
software can also be monitored (for example: certain interrupt vector table pointers in Intel-processor
applications) to detect unexpected changes by rogue software. These changes can also be detected to
prevent tampering.

Once tampering is detected, program flow-of-control needs to be changed so that the potential
compromise associated with ID-Data theft is avoided. This may be the security-enhanced program
terminating with a message indicating that its integrity has been compromised before all of the
ID-Data is entered. Alternatively, the fact that tampering has been detected may be kept secret and the
ID-Data retrieved, however, immediately upon retrieval, the ID-Data entered can be invalidated thus
preventing access to that which the now potentially compromised ID-Data would have otherwise
allowed. This latter method allows for the possibility of security-enhanced software informing remote
or other authorities that tampering was detected and possibly other information, such as what
specifically was altered and by whom. Care must be taken to ensure the integrity of the
"remote-informing" code before ID-Data entry is permitted.

It will be apparent to one skilled in the art of low-level software programming that the five
aspects described herein may be combined to provide substantially stronger security than any aspect



wo 97/04394 PCT/AU96/00440 

taken on its own. For instance, to combine tamper-detection with encryption, the precalculated
check-data as derived during tamper-detection described hereinbefore may actually be one part of the
decryption-key which is required to successfully decrypt the remaining executable software. If
prevention-of-tracing and environment characteristics (including debugger detection as described
hereafter) are additional portions of said decryption-key, it makes the determination of said
decryption-key by any person or computer program other than the secure original an extremely
difficult, if not impossible, task.

Further, it will also be apparent to one skilled in the art of low-level software programming that
a single construct such as a JNE to alter program flow-of-control after tampering has been detected is
insufficient, since the JNE construct itself is subject to tampering. The decryption process described
hereinbefore is preferable since there is no single point of alteration that can possibly yield a tampered
executable that would execute. Indeed, the executable protected with encryption will not even be
transformed into its intended form if tampering is detected.
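The combination described in the two paragraphs above, with the precalculated check-data used as the decryption key rather than as the operand of a comparison, can be sketched as follows. This is an added example, not code from the patent; the SHA-256 counter-mode keystream, the constructed sample bytes, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for a loader ("decryption header"),
# the protected program body, and environment facts sampled at start-up.
HEADER = b"\xfa\xb8\x00\x10\x8e\xd8 constructed loader stub"
BODY = b"constructed ID-Data entry routine"
ENV = b"code_size=4096;int1=default;int3=default"


def check_data(header: bytes, env: bytes) -> bytes:
    """Check-data: digest of the header image plus environment characteristics."""
    h = hashlib.sha256()
    for part in (header, env):
        h.update(len(part).to_bytes(4, "big"))  # length-prefix each field
        h.update(part)
    return h.digest()


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Illustration only, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(header: bytes, env: bytes, body: bytes) -> bytes:
    """Build-time step: encrypt the body under a key equal to the check-data."""
    stream = _keystream(check_data(header, env), len(body))
    return bytes(b ^ s for b, s in zip(body, stream))


def open_keyed(header: bytes, env: bytes, sealed: bytes) -> bytes:
    """Run-time step: recompute the check-data and decrypt with it.

    No comparison is made, so there is no branch to patch out. A modified
    header or environment yields a different key and an unusable body.
    """
    return seal(header, env, sealed)  # an XOR keystream is its own inverse


def open_branch(header, env, expected, body, check_removed=False):
    """Contrast case: clear-text body guarded by one comparison (the 'JNE').

    check_removed models that single comparison having been altered.
    """
    if not check_removed and not hmac.compare_digest(
        check_data(header, env), expected
    ):
        return None
    return body


def demo() -> dict:
    sealed = seal(HEADER, ENV, BODY)
    expected = check_data(HEADER, ENV)
    patched = HEADER.replace(b"\xfa", b"\x90", 1)  # one altered byte
    return {
        "intact": open_keyed(HEADER, ENV, sealed),
        "patched_header": open_keyed(patched, ENV, sealed),
        "changed_env": open_keyed(HEADER, ENV + b";debugger=1", sealed),
        "branch_detects": open_branch(patched, ENV, expected, BODY),
        "branch_removed": open_branch(patched, ENV, expected, BODY, True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value!r}")
```

The key in this sketch can be recomputed by anyone holding an unmodified copy of the header, so the construction resists patching of the protected image, not copying or offline analysis of it.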

Aspect 4. Preventing execution-tracing.

Apart from "spoofing" (described in aspect 5 hereafter) the last resort of a rogue who is
prevented from disassembly, tampering, and eavesdropping on software is to trace the execution of
said software in order to facilitate the compromise of its security. Hampering tracing (tracing is
sometimes called debugging) prevents this.

There are numerous methods of detecting a debug-environment (ie: when tracing is taking
place). When combined with decryption and tamper-protection as hereinbefore described, it makes a
rogues task of detecting and bypassing debug-detection extremely difficult. Reference and examples
to Intel and MS-DOS environments follow hereafter, although it will be apparent to one skilled in the
art that these and similar methods are applicable on other platforms.

Standard Intel x86 interrupts 1 and 3 are used by debuggers to facilitate code tracing. By
utilising these interrupts (which are not normally used by normal applications) in security-enhanced
software, it hampers debugging, since built-in debugging functions are now not automatically
available.

Monitoring the system timer to determine if software execution has spent too long
accomplishing certain tasks can detect a situation where code tracing has been in effect and a
breakpoint was reached.

Disabling the keyboard will hamper debuggers, since tracing instructions are usually issued
from the keyboard. Similarly, disabling other places from where tracing instructions are usually
issued (eg: serial ports, printer ports, and mouse) or displayed (eg: screen) will also hamper tracing.



System interrupts can be re-vectored for use within the secure software to perform tasks not
usually performed by those interrupts. Debuggers usually rely upon system interrupts also, so to do
this would usually disable or destroy a debugger being used to trace the software.

Disabling interrupts and performing timing-sensitive instructions between them will further
hamper debugging. When tracing software, instructions are usually

for the user to understand their operation. Many system interrupts must occur regularly (eg: timer and
memory re-fresh operations), so debuggers usually do not disable interrupts even when they encounter
an interrupt-disabling instruction. If timers and the like are re-vectored in two separate stages, any
timer (etc) interrupt occurring inbetween the two stages will fail, and usually crash the computer.
Further, interrupts can be disabled or enabled using obscure means (with flag-altering instructions for
example) to hamper tracing.

Discretely testing the status of disabled or enabled system facilities (eg: interrupts, keyboard,
vector-pointers) to ensure that a debug-environment has not altered or by-passed them will seriously
hamper tracing also.

Certain computer processors have instruction caches. In some circumstances, it is possible to
alter the instructions immediately before the CPU encounters them, but the altered instruction will not
be executed normally because the cache copy has the "old" one still. In debug environments, the cache
is usually flushed, so any altered instructions will actually
This again hampers tracing.

Using strong cryptographic schemes, such as DES, or RSA or the like will prevent the
examination of any decryption routines from revealing a simple patch to disable said routines.



When tracing software, the program stack is usually used by the debugger either during the
tracing operations or at other times. This is easily detected, and by using the area of the stack which
will be destroyed by unexpected stack-use for code or critical data, software can be designed to
self-destruct in this situation.



Scanning the command environment and the execution instruction can detect the execution of
software by unusual means. Searching for "DEBUG" in the command line, or scanning memory for
known debuggers for example will detect tracing. Additionally, by detecting which operating system
process initiated the load of the software, unexpected processes (eg: debuggers) can be detected.

Monitoring system buffers (eg: the keyboard memory buffer) or hardware (eg: the keyboard
circuitry and internal buffers) for unexpected use (eg: keyboard input and processing is occurring when
the software is not requesting it) will also detect debuggers, which usually rely in part on system
functions in order to operate.

Building a process or multiple processes which are traditionally difficult to trace, such as a
resident or child process which executes during system interrupts or after the parent process has
terminated will again hamper tracing.

Bypassing system routines (eg: in DOS, using direct memory writes instead of DOS system
calls to revector interrupts) will further hamper debugging and rogue software monitoring, as will
unravelling loop constructs (which will make tracing long and cumbersome).



Code checksums and operating-system checks (eg: interrupt table pointers) can be designed to
detect debug-breakpoint instruction inserts or other modifications. Using the result of the checksum
for some obscure purpose (eg: decryption, or (much later) control-flow changes) will further hamper
tracing.

It will be apparent to one skilled in the art of low-level software programming that a
combination of techniques to detect, prevent, and mislead tracing will provide a mechanism making
tracing very difficult, if not impossible. At the very least, it will require an expert with very expensive
tools and perhaps some understanding of the original software design a very long time to make any
debugging progress - a situation which is recognised in military software security accreditation
worldwide as highly desirable.

Aspect 5. Ensuring authenticity.

In accordance with an aspect of the present invention there is provided a method of providing
for a secure entry of ID-Data in a computer system comprising activating a visual display or
animation and/or audio feedback (hereinafter called an audio/visual component) as part of said
secure entry of ID-Data so as to hamper emulation of said secure entry process.

Preferably, the animation includes feedback portions as part of the ID-Data entry process.

Preferably, the animation is repeatable and varied in accordance with the information entered.

The animation preferably comprises 2.5D or 3D animation and includes animation of any ID-Data

Preferably, the animation is designed to tax the computer resources utilised and thereby making
any forgery thereof more difficult.

Notwithstanding any other forms which may fall within the scope of the present invention,
preferred forms of the invention will now be described, by way of example only, with reference to the
accompanying drawings.

In the preferred embodiment of the present invention the user interface for the acquiring of
ID-Data is secured whereby the duplication of the interface is rendered mathematically complex such that
cipher-code breaking techniques are required to produce a counterfeit look-alike interface. By making
the authentication interface (ie: ID-Data entry screen - for example: a logon screen or a screen for
entering credit card details) unable to be emulated, tampered with, or reversed engineered, the
application program allows for a higher degree of security and authenticity even in insecure
environments such as the Internet or home software applications.

Referring now to Fig.2, there is illustrated a classic form of rogue attack on a computer
system. In this form of rogue attack, a rogue's "spoof" program 22 is inserted between application
software 16 and the user 23. The application 16 normally has a portion 24 devoted to ID-Data entry
and verification or the entry of commercially sensitive information (including passwords etc) to the
application in addition to the application code 25. The spoof program 22 is designed to exactly reflect
the presented user interface of ID-Data entry code 24 to the user. The user 23 is then fooled into
utilising the masquerading spoof program 22 as if it was the application 16. Hence the user can be
tricked into divulging secret information to the spoof program 22. An example may include a classic
"login spoof" wherein the spoof program 22 prints the login prompt (ie: ID-Data entry) message on the
screen and the user mistakes the login prompt for a legitimate one, supplying a user name and
password to this program 22 which records this information as well as passing it on to the login code
24 of application 16 so as not to arouse the suspicion of user 23 - or by issuing a message, such as
"incorrect password, please try again" and then passing control to the login code 24 of application 16.

Referring now to Fig.4, there is illustrated a relatively new form
This form of attack proceeds similarly to the spoof attack of Fig.2, with the following
Instead of a
spoof program 22, a rogue program 41 is inserted which secretly eavesdrops on ID-Data entry code
24, or on application code 25, or on operating system 17, or on hardware 18 or elsewhere in order to
steal sensitive information directly from the legitimate application. Since the legitimate application is
still actually executing, the users suspicion is not aroused, since rogue program 41 is generally
invisible to the user 23. Alternatively, executable program 16 may have been tampered with (as
hereinbefore described) to reduce its security, alleviating the necessity for the presence of rogue
program 41.

In Fig.5, there is illustrated in detail the structure of an application 50 constructed in
accordance with the preferred embodiment running on computer hardware
Fig.5 is similar to
Fig.4 with the important difference that user 23 now communicates directly with secure drivers 51
which are part of the secure ID-Data entry program code 31 which is utilised by the security-enhanced
(eg: tamper protected) application code 52. It can be seen that the user 23 no longer communicates
with the operating system 17 or the unprotected computer hardware 18, thus the rogue program 41
can no longer eavesdrop on ID-Data.

In Fig.3, there is illustrated, in more general terms than Fig.5, the structure of an application 30
constructed in accordance with the preferred embodiment wherein secure ID-Data entry program code
31 is provided which is extremely difficult to replicate, eavesdrop upon or subvert. The secured
ID-Data entry program code 31 can be created utilising a number of different techniques.

Firstly, the executable portion of the secured ID-Data entry code can be protected against
tracing, disassembly, tampering, viewing, reverse engineering, keyboard entry theft, eavesdropping,
hot patching and other attacks by transforming the secured ID-Data entry program code 31 from its
normal executable form 16 (Fig.2) to a corresponding secured form of executable (as hereinbefore
described - refer aspects 1 to 4). These techniques are preferably applied to the application code 16 in
general or less preferably specifically limited to the ID-Data entry portions 24 thereof.

Additionally, the secure ID-Data entry program code 31 is itself created. This code 31
preferably comprises a complex graphical user interface series of screens and animation designed to
make duplication by a rogue thereof extremely difficult.

Initially, the complex user interface should include facilities to disable any frame buffer
recording devices, the disablement occurring before each frame is displayed. Also, where a
multi-tasking operating system is in use, or where context switching is enabled, switching out of the
interface screen is preferably disabled or ID-Data entry procedures encrypted or terminated when the
interface screen is swapped out. The images presented which form part of the ID-Data entry screens
comprise complex 3D animation sequences having a high degree of complexity and extensive use of
screen colours and screen resolution in addition to visual design so as to make copying thereof
extremely difficult.

The complex computer graphics can be created utilising standard techniques. For information
on how to create complex 3D imagery, reference is made to "Computer Graphics, Principles and
Practice" by Foley, Van Dam et al published 1990 by Addison-Wesley Publishing Company or other
standard textbooks on generation of computer graphics. Reference is also made to the numerous
internet news groups and archives on graphics and games programming, specifically to:
comp.graphics.research, comp.graphics.rendering, comp.graphics.raytracing, comp.graphics.misc,
comp.graphics.digest, comp.graphics.animation, comp.graphics.algorithms, comp.graphics,
alt.graphics.pixutils, alt.graphics, rec.games.programmer, comp.sys.programmer,
comp.sys.ibm.programmer, comp.sys.ibm.pc.programmer, comp.os.msdos.programmer,
comp.msdos.programmer, alt.msdos.programmer. Reference is also made to the "PC Games
Programmers Frequently Asked Questions" document available on the internet, via
rec.games.programmer and elsewhere.

By encoding a complex 3D image which forms part of the ID-Data entry screens, the hurdle
requirement of a rogue to reverse engineer the complex imagery is substantial. The
inclusion of graphical animation is advantageous in preventing static screen shot duplication attacks
by a rogue from succeeding.

As noted above, it is preferable that traditionally difficult graphical programming techniques are
employed wherever possible, with the aim of making it more detectable for a user interacting with the
system to discern lesser copies of the animation. Suitable 3D animation can include the introduction
of shadows, the lighting of pseudo-3D animated objects, transparent or translucent objects, shiny,
reflective, or mirrored objects, gravitational effects in animated objects, single-image-random-dot-
stereogram bitmaps or backdrops, translucent threads, effects such as diffraction patterns, screen
masks, backdrops, colour palette "animation", complex animated objects resistant to simple hidden-
surface removal techniques known to those skilled in the art and directed to hindering duplication.

Further, the animation can take into account:

1. Thwarting attempts at compression of the ID-Data entry screens. This can be achieved by
having animation which has low visual entropy and having many graphical elements which are altered
from frame to frame in a manner which is highly discernible to the human [...]. Apart from being
difficult to replicate, complex 3D computer imagery having low entropy or redundancy will require
large amounts of storage space for a rogue attempt at duplication based on recording the screen output
and therefore be more readily discernible to the user should this form of attack be mounted.

2. The animation is further preferably designed to thwart a successful replay attack which is
based on providing only a subset (limited number of frames) of the screen animation to a viewer. This
can be achieved, for example, by the inclusion of several animated spheres which "bounce" around the
screen and change colours in a manner that is recognisable to the viewing user but which is not readily
repeatable. A replay of only a subset of the screen animations to the viewer will be highly evident in
this case when, upon looping, the user is alerted to a problem when the animation "skips" or "jumps"
and does not operate in a previously smooth manner. This makes it difficult for a rogue spoof
program to copy the animation without including all parts of it.

3. Most importantly, the graphics presented can be customised to the input data entered. For
example, the information entered by a user can be rendered and/or animated by the secure ID-Data
entry program code 31 (Fig.3). As an example, in an ID-Data entry program, when a user types in
their user name, the animation can be created letter by letter. For example, when typing in the user
name "CHRIS" each letter could be rendered differently depending on those characters previously
typed. For example, the letter "I" might appear as a large "barbers pole" which spirals and changes
colour, speed, size, and/or position and is slightly transparent, thereby allowing [...]
which is a backdrop to the character to be discerned through the character. For example, in the
above example, the letter "I" would only appear as the specific animated barbers pole that it does if
the previous letters entered were "C", "H", and "R" respectively.

The utilisation of a unique sequence of animation based on a user's input of information
sensitive data increases the difficulty of creating any "spoof program" attack on the application 30.
This is especially the case since the executable code of application 30 is preferably in an encrypted
form. The use of animation being particular to the order in which characters are entered is
particularly advantageous as the computational complexity of replication is substantially increased.

A similarly effective animation technique is to produce only one graphical object after entry of
each portion of ID-Data, such as a computer-generated human's face, but have the features of said
face be determined by a hash or cryptographic function based upon the user's input. For example,
after entry of the ID-Data "CHRIS" (in this example, the individual characters may not, themselves,
be based on the abovementioned generation procedure), a teenage girl's face with long blonde hair
and blue eyes may be displayed. If the "S" was instead a "D", the face would be entirely different.
The ID-Data used for producing an object for display should not be ID-Data which is designed not to
appear on-screen when entered (eg: a password), since the display of a corresponding object would
give a rogue information on which to base guesses of the secret ID-Data.






By utilising cryptography or having complex formulas to determine the sequencing of
animation, the rogue programming the corresponding spoof program shall have to crack the
cryptographic scheme in order to get the selection of character animation correct for any generalised
attack. In the abovementioned example, a rogue will have to determine the algorithm for producing the
face, since human beings are adept at recognising faces, and will immediately notice if the face
displayed on the screen is incorrect. Such a technique allows for a mathematically secure, visual
method to guarantee the authenticity of the software which generates the screen feedback. The user of
the software is instructed to note their own particular animation sequence and to immediately
discontinue utilisation of the application 30 should that sequence ever change. The user may also be
instructed to contact a trusted person, such as the supplier or operator of the application to confirm
that the animation sequence they witness is the authentic sequence intended by said supplier.
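The letter-by-letter rendering and the hash-determined face described above can be sketched as follows. This is an added example, not code from the specification: HMAC-SHA256, the key, the application name and the feature tables are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the specification): a secret held inside the protected
# executable, an application name, and small tables of visual features.
APP_KEY = b"constructed-demo-key"
APP_NAME = b"DemoApp"

SHAPES = ("barbers pole", "sphere", "ribbon", "prism", "helix", "torus", "flame", "lattice")
HAIR = ("long blonde", "short black", "curly red", "grey cropped", "brown braided", "white wavy")
EYES = ("blue", "brown", "green", "grey", "hazel")
AGE = ("child", "teenager", "adult", "elderly")


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def letter_styles(id_data: str, key: bytes = APP_KEY) -> list:
    """One rendering style per typed character.

    The state is chained, so the style of a letter depends on every letter
    typed before it: the "I" of "CHRIS" only looks the way it does after
    "C", "H" and "R".
    """
    state = _mac(key, b"letters|" + APP_NAME)
    styles = []
    for ch in id_data:
        state = _mac(key, state + ch.encode("utf-8"))
        styles.append({
            "char": ch,
            "shape": SHAPES[state[0] % len(SHAPES)],
            "hue_deg": int.from_bytes(state[1:3], "big") % 360,
            "spin_speed": 1 + state[3] % 9,
            "opacity_pct": 40 + state[4] % 56,
            "tag": state[5:13].hex(),  # seeds the remaining animation detail
        })
    return styles


def face_features(id_data: str, secret_field: bool = False, key: bytes = APP_KEY) -> dict:
    """Features of the single face shown after a portion of ID-Data is entered."""
    if secret_field:
        # The text's caveat: an object derived from a password would give an
        # observer something to check guesses against, so refuse to derive one.
        raise ValueError("no on-screen object may be derived from secret ID-Data")
    digest = _mac(key, b"face|" + APP_NAME + b"|" + id_data.encode("utf-8"))
    return {
        "age": AGE[digest[0] % len(AGE)],
        "hair": HAIR[digest[1] % len(HAIR)],
        "eyes": EYES[digest[2] % len(EYES)],
        "seed": digest[3:11].hex(),  # drives the rest of the facial geometry
    }


if __name__ == "__main__":
    for style in letter_styles("CHRIS"):
        print(style)
    print(face_features("CHRIS"))
    print(face_features("CHRID"))
```

A spoof program that does not hold the key cannot predict either output, and a user who has learnt their own sequence sees a different one if the key, the application name or any earlier character differs.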



Further, the particular animation presented for a particular application 30 can be further
customised for each application so as to be distinct (such as by the incorporation of the application's
name as part of the animated image).

Further hindrance for a rogue programmer can be created by hand coding portions of the
animation in assembly language so as to generate the maximum possible complexity and interaction in
the animation with the high level of detail for individual [...]. This further raises
a hurdle allowing for the easier detection of rogue spoof programs 22 [...]
more convenient, higher level language (such as C or C++) which will also operate at a different
speed, the user being instructed to look for speed differences.

Further, animated scene timing can be utilised, providing anti-looping and frame removal
detection is still catered for. The animated scene timing allows for a user to detect unexpected
irregularities in a frequently presented animated interface. By including in the animation some
deliberate regularity (such as the rhythmic convergence of some parts of the animation in one
particular spot), a rogue programming a spoof program shall also have to duplicate the preferably
complex timing events necessary to accomplish this convergence. The regular nature of the scene
timing should be high enough so that the user expects to see certain events and thereby making it
difficult for a rogue spoof program to copy the animation without including all parts of it.

Preferably, where possible, all ID-Data is immediately encrypted which makes recovery of the
ID-Data by a rogue through analysis of the computer program memory difficult. Preferably, public-
key cryptographic methods (eg: Elliptic-curve, RSA or Diffie-Hellman cryptography) should be used
making it impossible to reverse engineer the cryptographic code to decrypt any sensitive information
should it be stolen in its encrypted form. Prohibiting all or most interrupts when data is to be entered
and encrypting or hashing the sensitive information immediately so that it is only stored partially, or in
an encrypted form, before re-enabling interrupts is one example of achieving this objective.

As a further alternative, analysis of a user's personal characteristics can be included as part of
the interface. This can include attempts at recognition of a user's typing style (duration [...]
delays between subsequent keys, choice of redundant keys, mouse usage characteristics, etc) or by
additional authentication techniques, including smartcards, biometric inputs such as finger prints
detectors etc.









Further, the graphical animation routines can be "watermarked" by the secure ID-Data entry
program code in that "hidden" information may be incorporated into the scene (for example "salted-
checksums") to allow careful analysis of the output of secure ID-Data entry program code 31 to
distinguish between original graphics animation and counterfeit animation. For example, the hidden
information may be encoded in the least-significant bit of pixel data at selected locations of the
animation.
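One way to realise the salted-checksum watermark described above, as an added example that is not taken from the specification. It assumes a frame of one byte per pixel, a 64-bit mark, HMAC-SHA256 as the salted checksum, and a salt known to both the rendering code and the analyst; the sample frame is constructed.

```python
import hashlib
import hmac

SALT = b"constructed-salt"   # assumption: shared by the renderer and the verifier
MARK_BITS = 64               # assumption: length of the hidden checksum


def sample_frame(width: int = 320, height: int = 200) -> bytes:
    """Constructed test frame: one intensity byte per pixel."""
    return bytes((x * 7 + y * 13) % 256 for y in range(height) for x in range(width))


def carrier_positions(salt: bytes, n_pixels: int, count: int = MARK_BITS) -> list:
    """The "selected locations": distinct pixel indexes derived from the salt."""
    chosen, seen, counter = [], set(), 0
    while len(chosen) < count:
        block = hmac.new(salt, b"pos|" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for i in range(0, len(block), 4):
            idx = int.from_bytes(block[i:i + 4], "big") % n_pixels
            if idx not in seen:
                seen.add(idx)
                chosen.append(idx)
                if len(chosen) == count:
                    break
    return chosen


def salted_checksum(salt: bytes, frame: bytes, positions: list) -> bytes:
    """Checksum over the frame with the carrier LSBs cleared, keyed by the salt."""
    masked = bytearray(frame)
    for p in positions:
        masked[p] &= 0xFE
    return hmac.new(salt, b"sum|" + bytes(masked), hashlib.sha256).digest()[:MARK_BITS // 8]


def embed(frame: bytes, salt: bytes = SALT) -> bytes:
    """Return a copy of the frame carrying its own salted checksum in pixel LSBs."""
    if len(frame) < 4 * MARK_BITS:
        raise ValueError("frame too small to carry the mark")
    positions = carrier_positions(salt, len(frame))
    mark = salted_checksum(salt, frame, positions)
    out = bytearray(frame)
    for bit_no, p in enumerate(positions):
        bit = (mark[bit_no // 8] >> (7 - bit_no % 8)) & 1
        out[p] = (out[p] & 0xFE) | bit
    return bytes(out)


def verify(frame: bytes, salt: bytes = SALT) -> bool:
    """True only if the hidden bits match the checksum of the rest of the frame."""
    if len(frame) < 4 * MARK_BITS:
        return False
    positions = carrier_positions(salt, len(frame))
    expected = salted_checksum(salt, frame, positions)
    found = bytearray(len(expected))
    for bit_no, p in enumerate(positions):
        found[bit_no // 8] |= (frame[p] & 1) << (7 - bit_no % 8)
    return hmac.compare_digest(bytes(found), expected)


if __name__ == "__main__":
    original = sample_frame()
    marked = embed(original)
    print("authentic frame verifies:", verify(marked))
    print("unmarked copy verifies:", verify(original))
```

The mark changes each carrier pixel by at most one intensity level, so it is invisible to the user and only shows up under the careful analysis the text refers to.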

The user determinable sequence of animation can also extend to the provided audio animation.
For example, audio and other feedback techniques including music and speaking tones can be played
in response to particular key stroke combinations. By utilising different voices and/or tones and/or
volumes and pitches for each keystroke or combination, the security of the application 30 can, once
again, be substantially increased. The change in voice intonation will be readily "learnt" by a user and
thereby further inhibit a rogue's ability to duplicate the same sequence of sounds or voices. Of course,
the encoding of the voice system should be in an encrypted form.

Further, upon detecting any attempt to subvert the secure ID-Data entry program code 31 (eg:
subsequent to detecting tampering), a notification message is preferably sent to a prosecuting body or
the like where the application 30 is currently, or later becomes connected to a network such as the
Internet, or by other means (eg: via Modem or by including coded information in public or other files).

For application programs 30 requiring activation by a host program executed on a different
computer, a secure means of activation can be incorporated into the client [...]. The host
and client intercommunication can issue challenge and response code authentication and verification
utilising cryptographic systems such as public-key encryption and/or other standard means of
overcoming data replay attacks and other threats designed to trick the secure client application 30 into
activation.

It would be appreciated by a person skilled in the art that the process of coding any data entry
process utilising these techniques, together with additional techniques to protect against recording, and
eavesdropping, and executable protection techniques may be necessary to improve the security of the
interface. Additionally, executable encryption, additional authentication, and other methods are
desirable in producing the protected executable.

It would be appreciated by a person skilled in the art that numerous combinations, variations
and/or modifications may be made to the present invention as described without departing from the
spirit or scope of the invention as broadly described. The present embodiments are, therefore, to be
considered in all respects to be illustrative and not restrictive.

Summary of the Applicator (of an improved process of security as hereinbefore described)

The preferred embodiment of the present invention's method (hereinbefore described as the
"Applicator") by which to apply an improved process of security (as hereinbefore described) will now
be described with reference to the accompanying drawings.

Referring now to Fig.7, there is shown a standard format utilised for storing executables on
disk, often occurring in the art, and in particular in conjunction with programs run on the above
mentioned operating systems. The standard executable 16 normally comprises a header section 71, a
code section 72, and a data section 73. The header section 71 normally stores a standard set of
information required by the computer operating system 17 (Fig.1) for running of the executable 16.
This can include relocation data, code size etc. The code section 72 is normally provided for storing
the "algorithmic" portion of the code. The data section 73 normally is utilised to store the data, such
as constants, or overlays 92 utilised by the code section 72.

Turning now to Fig.6, the preferred embodiment of an applicator program 60 is shown which
takes as its input the executable program 16 and performs an obfuscating step 61, a ciphering step 62
and an anti-key press and authentication step 63 (described hereafter) which perform various
transformations on the executable program 16 to produce a new executable program 30.

The obfuscating step 61 modifies the header 71 (Fig.7) of the executable 16 in addition to
inserting loading code which will be described [...]. The ciphering step 62 encrypts the existing
executable 16 and calculates check data (eg: a checksum) for the encrypted executable. The anti-key
press and authentication step 63 replaces various insecure system calls with safe equivalent code and
preferably inserts code to graphically represent the integrity of said executable program.

The newly formed executable 30 (new.exe) can be then stored on disk and the applicator
program 60 completed, the new executable 30 replacing the old executable program 16.

When it is desired to run the replacement executable program 30, the replaced executable 30
(new.exe) executes the obfuscating code, previously inserted by applicator 60. The obfuscating code
initially decrypts the executable program and validates the stored check-data before re-executing the
decrypted executable.

The foregoing description of the preferred embodiment has been in general terms and it will be
understood by those skilled in the art that the invention has general application to many different
operating systems, including MS-DOS, Apple Macintosh OS, OS/2, Unix etc.

The most common operating system utilised today is the MS-DOS operating system. This
operating system is designed to run on INTEL x86 microprocessors and includes a large number of
historical "quirks" which give rise to greater complexity than would perhaps be otherwise required
when designing a new operating system from "scratch". For illustrative purposes, there will now be
presented a specific embodiment of the preferred embodiment designed to operate under the MS-DOS
operating system. Unfortunately, the example is quite complex as it operates in the framework of the
MS-DOS operating system. Therefore, it is assumed that the reader is familiar with systems
programming under the MS-DOS operating system. For an extensive explanation of the inner
workings of the MS-DOS operating system, reference is made to standard texts in this field. For
example, reference is made to "PC Intern" by Michael Tischer, published in 1994 by Abacus, 5370
52nd Street, S.E. Grand Rapids, MI 49512. A second useful text in this matter is "[...] Architecture
and Assembly Language" by Barry Cauler, published 1993 by Carda Prints, 22 Regatta Drive,
Edgewater, WA 6027, Australia.

The specific embodiment of the present invention will be described with reference to altering an
"EXE" executable program under DOS in accordance with the principles of the present invention.

Referring now to Fig.9, there is shown the structure 90 of an executable ".EXE" program in
MS-DOS as normally stored on disk. This structure is closely related to the structure 16 of Fig.7
which illustrates the more general case. The structure 90 includes a header 71, otherwise known in
MS-DOS terminology as the program segment prefix (PSP). This is normally followed by a
relocation table 91 which contains a list of pointers to variables within a code area 72 which must be
updated with an offset address when the program is loaded into a [...]. The
operation of the relocation table is well known to those skilled in the art of systems programming. The
next portion of structure 90 is the code area 72 which contains the machine instructions for operation
on the x86 microprocessor. This is followed by a program data area 73 which contains the data for
code area 72. Finally, there may exist a number of overlays 92 which contain code which can be
utilised in a known manner.

Referring now to Fig.8, there is shown the structure of EXE file header 71 in more detail, the
table of Fig.8 being reproduced from page 750 of the above mentioned Tischer reference. It should be
noted that the header 71 includes a number of fields including, for example, a pointer 81 to the start of
the code 72 (Fig.7) and a pointer 82 to the relocation table 91 (Fig.9).

In the specific embodiment, the applicator program 60 (Fig.6) proceeds by means of the
following steps:

(1) The executable program 16 is opened for reading and a determination made of

(2) The header 71 (Fig.9) of executable program 16 is then read in and a copy is stored within
applicator program 60. A copy of the header 71 is written out to form part 101 of the new.exe file 30
as illustrated in Fig.10.

(3) Next, from the fields 81, 82 of the header 71 (Fig. 8) a determination is made of the size of 
relocation table 91 of executable program 16. 

(4) Next, determination is made of the size of the executable code 72 and data portions 73.

(5) The relocation table 91 is then read into the memory of the applicator program 60. As
noted previously, the relocation table 91 consists of a series of the pointers to positions within code
segment 72 which are required to be updated when loading the program.exe file into memory for
execution. The relocation table is sorted 93 by address before being written out to the new.exe
executable file at position 102.

(6) As noted previously, the relocation table 91 consists of a series of pointers into code area
72. A determination is made of the size of a code, known as the "netsafe 1" code 104, the contents of
this code will be described hereinafter. Next, a search is conducted of the sorted relocation table 102
to find an area between two consecutive pointers within code section 72 which is of greater magnitude
than the size of netsafe 1 code 104. This area 94, designated part B in Fig.9 is located. If this code
portion 94 cannot be located the applicator program 60 exits with an error condition.

Upon finding code portion 94, the code portion 95, also denoted part A is encrypted and copied
across to form new code portion 103. Code portion 94 is then encrypted and copied to an area 105 of
new.exe 30. The netsafe 1 code 104 is then inserted by applicator 60. Code portion 96, also denoted
part C is encrypted and copied across to form code portion 106. Data portion 73 and overlay portion
92 are copied into new.exe 30 as shown. A second portion of obfuscating code, denoted "netsafe 2"
107, the contents of which will be described hereinafter, is then inserted after overlays 92 and before
code portion part B 105.

(7) The header 101 is then updated to reflect the altered layout of new.exe executable 30.
Additionally, the initial address 109 of execution stored in header 101 is altered to be the start of
netsafe 1 portion 104.

(8) As mentioned before, code portions 103, 106 and 105 are subjected to encryption or
encipherment in accordance with step 62 of Fig.6. The encryption scheme utilised can be subjected to
substantial variation. In this embodiment, the DES standard encryption scheme was utilised. This
scheme relies on a fifty-six bit key for encryption and decryption and is well known in the art.

Once encrypted, it is necessary to store the decryption [...]. A number
of different methods can be utilised to store [...]. The preferred method is to spread portions of the
key to different positions within the executable 30. For example, bits of the key can be stored within
the netsafe 1 code 104 and netsafe 2 code 107. Additionally, bits of the key can be stored within
header portion 101. Also, it is envisaged that bits of the key can be stored in the condition codes
which are a consequence of execution of various instructions within netsafe 1 area 104 and netsafe 2
area 107 and/or the operating system 17 (Fig.5), with the overall [...]
later extracted using a predetermined algorithm.

(9) The next step is to patch the address of the start of code area 72 and netsafe 2 code area
107 into the required locations within netsafe 1 area 104.

The netsafe 1 area is then written to the file containing new.exe executable 30.

(10) The area 106 is then encrypted as aforementioned and written to the executable 30
followed by overlays 92 and encrypted netsafe 2 code portion 107.

(11) As will become apparent hereinafter, upon execution of new.exe executable [...]
area 107 is responsible for loading code portion 105 over the top of netsafe 1 area 104. Therefore, it
is necessary to write the relevant addresses of the start and end of code portion 94 to the required
position within netsafe 2 area 107.

(12) As will be described hereinafter, netsafe 2 area 107 is also responsible for decrypting the
encrypted portions of codes 103, 104, 105, 106, and 107 and hence the netsafe 2 area 107 must also
store this combined code size for later use on decryption.

Finally, an overall checksum for new.exe 30 is calculated and stored at the end of the file at
position 108. This checksum is later used to verify the decryption procedures' success and to prevent
the execution of "scrambled" code, which would be the result if new.exe 30 were tampered with.
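Steps (2) to (6) of the applicator, sketched as an added example that is not code from the specification: it reads an MS-DOS EXE header, sorts the relocation table and searches for part B. Assumptions: the standard MZ header field offsets, a 2-byte width for each relocated word, first-fit selection, and part C running to the end of the load module (the header does not separate code from data). The sample image is constructed.

```python
import struct


class NoRoomError(Exception):
    """No area between two consecutive relocation pointers can hold the stub."""


def build_sample() -> bytes:
    """Constructed EXE image: 48-byte header, 3 relocations, 512-byte load module."""
    relocs = [(0x0120, 0x0000), (0x0010, 0x0000), (0x0004, 0x0003)]  # (offset, segment)
    header = struct.pack(
        "<2s13H", b"MZ",
        48, 2,            # bytes in last 512-byte page, pages in file
        len(relocs), 3,   # relocation count, header size in 16-byte paragraphs
        0, 0xFFFF,        # minimum / maximum extra memory
        0, 0x0200,        # initial SS, SP
        0, 0, 0,          # checksum, initial IP, initial CS
        0x1C, 0)          # relocation table offset, overlay number
    table = b"".join(struct.pack("<HH", off, seg) for off, seg in relocs)
    return (header + table).ljust(48, b"\0") + bytes(0x200)


def parse_mz(image: bytes) -> dict:
    """Read the header fields the applicator needs and the sorted relocation table."""
    if len(image) < 0x1C or image[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MS-DOS EXE image")
    last_page, pages, n_reloc, hdr_paras = struct.unpack_from("<4H", image, 0x02)
    ip, cs, reloc_off = struct.unpack_from("<3H", image, 0x14)
    header_size = hdr_paras * 16
    file_span = pages * 512 - ((512 - last_page) if last_page else 0)
    if not header_size <= file_span <= len(image):
        raise ValueError("header sizes do not match the file")
    if reloc_off + 4 * n_reloc > len(image):
        raise ValueError("relocation table runs past the end of the file")
    module_size = file_span - header_size
    targets = []
    for i in range(n_reloc):
        off, seg = struct.unpack_from("<HH", image, reloc_off + 4 * i)
        pos = seg * 16 + off                  # position inside the load module
        if pos + 2 > module_size:
            raise ValueError("relocation points outside the load module")
        targets.append(pos)
    return {"header_size": header_size, "module_size": module_size,
            "entry": cs * 16 + ip, "relocs": sorted(targets)}   # step (5): sorted


def find_part_b(image: bytes, stub_size: int) -> dict:
    """Step (6): first area between consecutive pointers larger than the stub."""
    mz = parse_mz(image)
    targets = mz["relocs"]
    for lo, hi in zip(targets, targets[1:]):
        start = lo + 2                        # skip the relocated 16-bit word itself
        if hi - start > stub_size:            # "of greater magnitude than" the stub
            return {"part_a": (0, start), "part_b": (start, hi),
                    "part_c": (hi, mz["module_size"])}
    raise NoRoomError(f"no relocation-free area larger than {stub_size} bytes")


if __name__ == "__main__":
    sample = build_sample()
    print(parse_mz(sample))
    print(find_part_b(sample, 100))
```

The area is chosen between relocation pointers so that the loader never patches bytes inside the inserted stub; when no such area exists the search fails, which corresponds to the error exit in step (6).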

As will be further described hereinafter, netsafe code areas 104 and 107 contain code to decrypt
the encrypted areas of the new.exe 30, to repatch code portion 105 back to its original position, and to
replace potentially insecure routines or easily spoofed screens normally utilised by the application (eg:
unsafe keyboard drivers) with an alternative safe form of routine.

Upon execution of the new.exe executable 30, the executable starts at the start of netsafe 1, area
104 (Fig.11), as this address has been previously patched into position 109 (Fig.10) of header 101
(Fig.10). The netsafe 1 area 104 then performs the following steps (A1) to (A10):

(A1) The first step is to disable all the interrupts apart from those necessary for continued
operation of the computer device 18 (Fig.1) (for example, memory refresh cannot be disabled). The
disabling of interrupts includes the disabling of the keyboard interrupt in order to stop amateur "code
snoopers" from determining the operation of the code area 104.

(A2) The next step is to interrogate the calling environment of the operating system stack to
ensure that the program new.exe was not called by a debugging program which is tracing the
operation of new.exe. Additionally, the data variables necessary for operation of netsafe 1 code area
104 are defined to be on the operating system stack (Refer Address 0EH and 10H in [...]). This
stack will change unexpectedly when in a code snooping or debugging environment and will cause the
debugger to crash, thereby stopping it from following the operation of new.exe executable 30.

(A4) The interrupt trap addresses are then altered in a two stage process. The first stage resets
a first part of the SEG:OFF address [...] and occurs at this point [...]
later time as will be further described hereinbelow. By staging the alteration of interrupt trap
addresses, any code snooper will be further confused as said trap [...]

(A5) Any input from the keyboard is further disabled by informing [...]
system to ignore any received keys.

(A6) The second stage of the revectoring of the normal debugging interrupts is then applied so
that the normal debugging interrupts can be used by the decryption code, to be described hereinafter,
thereby making debugging almost impossible.

(A7) A check is then made to ensure that the above processes have been successful in that [...]
debugger interrupts do not point to any debuggers, the keyboard is still disabled and the operating
system has disabled the acceptance of keys from the keyboard.

(A8) The key for decryption is then reconstructed utilising the reverse process to that utilised in
storing the information located in the key.

(A9) Turning now to Fig.11, there is shown the standard format of the executable new.exe 30
when executing in memory. As will be well known to those skilled in the art, an executing program
under the MS-DOS system will include a stack 111 and work space 112. A memory allocation
(Malloc) call is then done to set aside an area 113 for the loading in of the netsafe 2 code 107 of
Fig.10. The disk copy of new.exe 30 (having the format shown in Fig.10) is then opened by the
netsafe 1 code 115 and an encrypted copy of netsafe 2 code 107 (Fig.10) is then loaded in from the
disk file, decrypted and stored in memory area 113. The relocatable pointers of the code contained
within the netsafe 2 code 113 are then updated to reflect the position of the executable in memory.

(A10) Control is then passed to netsafe 2 code 113.

The code area netsafe 2, 113 then performs the following steps (B1) to (B4):

(B1) The portion of code of the disk copy denoted part B, 105 (Fig.10) is read in from disk in
an encrypted format and written over the old netsafe 1 code 115.

(B2) As will be further described hereinafter, the netsafe 2 area 113 includes a number of
keyboard routines which are preferably stored in an encrypted format. Therefore, the next step is to
apply the decryption to any of the encrypted areas of netsafe 2 code area 113. After decryption, the
netsafe 2 area 113 is checksummed and the result is tested against a prestored checksum to ensure the
integrity of netsafe 2 area 113.



WO 97/04394 PCT/AU96/00440



(B3) The disk copy of the new.exe is then again read in and checked against prestored check
data to ensure that it has not been changed. Additionally, an attempt is made to read past the end of
file of the disk copy of new.exe 30 (Fig.10) to ensure that no extension (eg: viral) has occurred.

(B4) The encrypted portions of the memory copy (Fig.11) of new.exe are [...]
utilising the key and once decrypted, the decrypted portions are again checked and tested against
predetermined data.

The next step in execution of the netsafe 2 code 113, is to replace insecure (eg: keyboard)
system routines with a more secure method. Referring now to Fig.12, there is shown the current state
of the new.exe executable in memory. The insertion of the more secure system routines then proceeds
in accordance with the following steps (C1) to (C5):

(C1) Firstly, a second memory allocation is done to set aside an area 51 (Fig.13) for the
storing of the secure hardware routines (eg: keyboard). These routines are then copied from their area
within netsafe 2 code 113 to the memory area 51.

(C2) Next, the ID-Data entry routines which are normally activated by [...] 131
when dealing with ID-Data input are altered such that, rather than pointing to corresponding areas of
the MS-DOS operating system 17, they point to the corresponding secure area 51. These interrupts
include interrupt 9 which occurs when a key is pressed on a keyboard, interrupt 29h which reads a key
and interrupt 16h which tests for the presence of a key.

(C3) The executable 30 (Fig.13) is then ready for execution and the registers are initialised, the
memory area 113 deallocated & control passes to the original start address of executable program 16.

(C4) It will be evident, that when executing, all keyboard calls (or other ID-Data entry calls, if
other than keyboard) will be passed to keyboard (or other) routines 51 with the keyboard hardware
being interrogated directly by keyboard routines 51 to return information to the calling program.
Keyboard routines 51 include a copy of the correct interrupt vector addresses for each keyboard
routine and each time they are called, a check is made of the interrupt table to ensure that it has not
been altered. Preferably, keyboard routines 51 protect the keyboard hardware by issuing controller
reset or similar commands to flush the keyboard data out of the circuitry after said data is retrieved to
prevent hardware eavesdropping, or routines 51 utilise the protected mechanisms of the central
processor to protect said hardware from eavesdropping.

(C5) When the executable 30 terminates, interrupt 21h (an MS-DOS standard) is called. This 
interrupt is also revectored to a corresponding area of routines 51. The termination code of keyboard 
routine area 51 restores the correct interrupt pointers in interrupt table 131 to point to the MS-DOS 
operating system 17, and clears the no-longer-needed program and data from memory before returning 
to the DOS operating system by calling the real interrupt 21. 

The foregoing describes only one particular embodiment of the present invention, particularly to 
the operation of the MS-DOS operating system. It will be evident to those skilled in the art that the 
principles outlined in the particular embodiment can be equally applied to other operating systems in 
accordance with the objects of the present invention. Further, modifications, obvious to those skilled 
in the art, can be made thereto without departing from the scope of the invention. 
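
Steps (C2), (C4) and (C5) above, as an added example that is not code from the patent: a C simulation of the interrupt table in which the secure routines keep a private copy of their vectors, check the table on every call, and restore the MS-DOS pointers at exit. The table is an ordinary array, and the segment values, the function names and the refusal to return a key once an altered vector is found are assumptions made for the illustration; the vector numbers 9, 29h and 21h are the ones the text names.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated real-mode interrupt vector table: 256 far pointers. */
typedef struct { uint16_t off, seg; } farptr;
farptr ivt[256];

/* Vectors named in the text: 9 (key press), 29h (key read), 21h (termination). */
static const uint8_t guarded[] = { 0x09, 0x29, 0x21 };
enum { NGUARDED = 3, DOS_SEG = 0x0070, SECURE_SEG = 0x5100 }; /* segments are constructed */

static farptr dos_saved[NGUARDED]; /* original MS-DOS pointers, restored in (C5) */
static farptr expected[NGUARDED];  /* private copy of the correct vectors, used in (C4) */

static int same(farptr a, farptr b) { return a.off == b.off && a.seg == b.seg; }

/* Fill the table with constructed "MS-DOS" handler addresses. */
void init_dos_table(void) {
    for (int i = 0; i < 256; i++) { ivt[i].seg = DOS_SEG; ivt[i].off = (uint16_t)(i * 4); }
}

/* (C2): point each guarded vector at the secure area, remembering the original. */
void install_secure_vectors(void) {
    for (int i = 0; i < NGUARDED; i++) {
        dos_saved[i] = ivt[guarded[i]];
        expected[i].seg = SECURE_SEG;
        expected[i].off = (uint16_t)(i * 0x40);
        ivt[guarded[i]] = expected[i];
    }
}

/* (C4): compare the live table with the private copy.
   Returns -1 if intact, otherwise the number of the first altered vector. */
int check_vectors(void) {
    for (int i = 0; i < NGUARDED; i++)
        if (!same(ivt[guarded[i]], expected[i])) return guarded[i];
    return -1;
}

/* Claim 37: re-apply the expected pointers over whatever is in the table. */
void reapply_vectors(void) {
    for (int i = 0; i < NGUARDED; i++) ivt[guarded[i]] = expected[i];
}

/* Secure key read: the check runs on every call, and a key is handed to the
   caller only while the table is intact (claim 1(c): disallow further entry). */
int secure_read_key(uint8_t scancode, uint8_t *out) {
    if (check_vectors() != -1) return 0;
    *out = scancode;
    return 1;
}

/* (C5): put the MS-DOS pointers back before the program exits. */
void restore_dos_vectors(void) {
    for (int i = 0; i < NGUARDED; i++) ivt[guarded[i]] = dos_saved[i];
}

int main(void) {
    uint8_t key = 0;
    init_dos_table();
    install_secure_vectors();
    printf("intact: read=%d\n", secure_read_key(0x1E, &key));
    ivt[0x09].seg = 0x6000; /* constructed: another resident program re-vectors int 9 */
    printf("altered vector: %02Xh, read=%d\n", check_vectors(), secure_read_key(0x1F, &key));
    reapply_vectors();
    printf("after re-apply: read=%d\n", secure_read_key(0x1F, &key));
    restore_dos_vectors();
    return 0;
}
```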

EXPLANATION AND PURPOSE OF CLAIMS 

Claims 1, 2, and 3 are independent. The invention in claim 1 covers any high security software 
protecting ID-Data by utilising anti-spy techniques, and tamper-protection. Claim 2 is for a 
method of producing high security software, such as, but not limited [...] Claim 3 is for 
a new process of graphically representing the authenticity of high security software, such as, but not 
limited to, that in claim 1 or produced by claim 2. 

Claims 4, 5, 6, 7, 8, and 9 add preferred components to the high-security enforcing functions of 
the software in claim 1. Claim 10 adds a tracing-prevention preferred component to claim 9. 

Claims 11, 12, 13, 14, 15, 16, 50, and 53 add preferred components to the security-applicator 
method of claim 2. 

Claims 17 to 49 inclusive and claims 51 & 52 outline the specific area of protection this 
invention affords a computer program acting as a user interface (eg: ID-Data entry screen). 
Specifically, they specify how this invention applies in the areas of protecting an interface against 
counterfeiting (i.e.: hampering the possibility that a fake copy of said interface can be successfully 
presented to a user to fool said user into entering information into the fake interface), and protecting 
an interface against malicious (or otherwise) tampering, examination, emulation, and eavesdropping. 

CLAIMS 



1. A high security executable program comprising: 

(a) purpose-written computer input routines within or accessed by software on a computer system for 
the entry of ID-Data (as hereinbefore defined), and 

(b) anti-spy techniques (as hereinbefore defined) within said input routines which prevent or hamper 
eavesdropping (as hereinbefore defined) on said ID-Data, and 

(c) tamper-detection techniques (as hereinbefore defined) within or accessed by said software to detect 
tampering (as hereinbefore defined) and techniques which, upon detection of tampering, either 
disallow the subsequent entry of ID-Data into said input routines, or which invalidate said ID-Data 
in order to disallow current and subsequent access to that which said ID-Data [...] 
otherwise allowed 

2. A method of altering an original executable program to form an altered executable 
program having increased security, said method comprising the steps of 

(a) inserting obfuscating code into a first number of predetermined areas of [...] 
and 

(b) encrypting portions of said executable program for later decryption [...] 

such that, upon execution of said altered executable program, said execution includes the steps of 

(c) decrypting the altered executable program; and 

(d) restoring said altered executable program to said original executable program. 

3. A method of providing for a secure entry of input information in a computer system 

(a) activating a visual display or animation and/or audio feedback (hereinafter called an audiovisual 
component) as part of said secure entry of input information so as to hamper emulation of said 
secure entry process; and 

(b) audio/visual component feedback of two or more of 

(c) all or part of said input information; 

(d) all or part of information based upon some transformation of said input information; 

(e) all or part of some transformation of all or part of the software comprising said audio/visual 
component and/or the computer operating system upon which said audio/visual component 
operates. 

4. A method as claimed in claim 1 additionally including the replacement of code which 
is vulnerable to eavesdropping (as hereinbefore defined) with equivalent code which removes said 
vulnerability; said equivalent code which communicates directly with the hardware of the computer 
while disabling system interrupts or other functions which would permit rogue software (as 
hereinbefore defined) to eavesdrop. 

5. A method as claimed in claim 1 additionally including one or more automatic 
disassembly (as hereinbefore defined) techniques of (a) obfuscating inserts (as hereinbefore defined), 
(b) dummy instructions (as hereinbefore defined), or (c) executable encryption (as hereinbefore 
defined). 

6. A method as claimed in claim 1 additionally including code to detect tampering (as 
hereinbefore defined) by re-reading its own external-image or its internal memory image and 
comparing said image or a calculated check of said image with pre-calculated check-data or known 
identical equivalents. 

7. A method as claimed in claim 1 additionally including code to automatically memory- 
scan to said software one or more times before or during execution [...] 
tampering (as hereinbefore defined). 

8. A method as claimed in claim 1 additionally including code to store or communicate 
details of detected tampering for later examination, said details including all or part of said tampered 
software, and/or other information available to said tampered software from said computer system. 

9. A method as claimed in claim 1 additionally including code to prevent, or detect and 
subsequently prevent tracing, or mislead code debuggers and execution tracing by utilising debugger 
trap facilities for the normal operation of said security-enhanced software, and/or monitoring system 
timers or including timing-sensitive instructions or monitoring CPU stack contents or monitoring 
system buffers to detect the activity of code debuggers, and/or disabling facilities including the 
keyboard, serial ports, printer ports, mouse, screen or system interrupts in order to hamper code 
debuggers, and/or testing that the disabled status is still true of said facilities to detect code 
debuggers, and/or utilising system interrupts which would ordinarily be used by a [...] 
the custom purposes of said security-enhanced software, and/or utilising CPU instruction caches 
together with self-modifying code to mislead code debuggers, and/or scanning or interrogating the 
operating system or executable-load-process to detect code debugger instructions or environments. 

10. A method as claimed in claim 9 additionally including a process or multiple processes 
which are resident or child processes of said security-enhanced software which execute during 
system interrupts or after the parent process has terminated in order to hamper tracing. 



11. A method as claimed in claim 2 wherein said obfuscating code includes replacement 
codes for insecure system routines and said execution further includes the step of: (e) replacing the 
execution of said insecure system routines with said replacement codes. 

12. A method as claimed in claim 2 wherein said steps (c) and (d) occur while 
simultaneously substantially disabling eavesdropping on the operation of said steps (c) and (d) by 
any rogue program. 

13. A method as claimed in claim 2 wherein said step (a) includes inserting a portion of 
said obfuscating code into the code area of said original executable program. 

14. A method as claimed in claim 11 wherein said step (e) includes altering portions of 
an interrupt vector table to point to said replacement codes. 

15. A method as claimed in claim 2 wherein said step (b) includes the storing of a 
decryption key in a plurality of predetermined areas of said altered executable program. 

16. A method as claimed in claim 15 wherein said predetermined areas include the 
condition codes of predetermined instructions of said altered executable program. 

17. A method as claimed in claim 3 wherein said audiovisual component has repeatable 
characteristics during subsequent invocations of said entry process, such that said audiovisual 
component on each invocation of said entry process has a predetermined resemblance to the 
audiovisual component of all other invocations of said entry process. 

18. A method as claimed in claim 3 wherein said audiovisual component is varied in 
accordance with the information entered. 

19. A method as claimed in claim 3 wherein said audiovisual component comprises 
moving parts and/or includes 2.5-dimensional animation or 3-dimensional animation. 

20. A method as claimed in claim 3 wherein said audiovisual component includes a 
representation of said input information. 

21. A method as claimed in claim 20 wherein said input information representation 
comprises (a) display of a single graphical object and/or (b) production of a single audio-feedback 
sequence, after the entry of all or part of said input information. 

22. A method as claimed in claim 20 wherein said input information representation 
includes animation of input characters and/or audible or other feedback determined by input 
characters. 

23. A method as claimed in claim 22 wherein the representation of said input characters 
varies for each character based on the result of a predetermined transformation of the preceding 
inputted characters. 

24. A method as claimed in claim 23 wherein said transformation utilises cryptographic 
or hashing methods. 

25. A method as claimed in claim 3 wherein the ease by which faithful replication of said 
audiovisual component is substantially reduced by inclusion in said audiovisual component the 
techniques of on screen shadow rendering and/or spot or flood scene lighting effects and/or scene or 
object shading and/or transparent or translucent objects and/or shiny, reflective, or mirrored objects 
and/or real-time animation roughly obeying real world gravitational effects and/or single-image- 
random-dot-stereogram bitmaps or backdrops and/or partial scene masking effects and/or full or 
partial scene distortion or diffraction effects and/or animated objects designed to resist simple 
hidden-surface removal techniques and/or animated bitmaps and/or audible echo effects and/or 
differing audio voice effects and/or differing audio volume and/or differing audio tones or pitches. 

26. A method as claimed in claim 3 wherein said audiovisual component is immediately 
recognisable to human beings and includes information which identifies to the user the application to 
which said audiovisual component belongs. 

27. A method as claimed in claim 3 wherein the ease by which faithful replication of said 
audiovisual component is further reduced by inclusion in said audiovisual components animation 
object movement timing such that at near regular and frequent intervals regularities occur which are 
obviously recognisable to users of said entry process. 

28. A method as claimed in claim 3 wherein said entry process including said audiovisual 
component utilises a substantial portion of the computational resources of said computer system. 

29. A method as claimed in claim 3 wherein said entry process code responsible for said 
audiovisual component is coded in the assembly language of the computer system. 

30. A method as claimed in claim 3 wherein recording said audiovisual component by 
said computer system is disabled. 

31. A method as claimed in claim 3 wherein (a) the facility to suspend or swap-[...] 
entry process is either disabled, or (b) immediately upon suspension request, said entry process is 
protected against subsequent examination by encryption or by termination and removal from 
memory of said entry process, or (c) where the facility to allow the central processor or processors 
of said computer system to execute code other than the code of, or the code necessary for said entry 
process is either disabled or else said entry process is protected against examination. 

32. A method as claimed in claim 3 wherein said entry process hampers simple recording 
by utilising the maximum practicable use of audiovisual framerate, and/or audiovisual resolution, 
and/or screen colours, and/or audiovisual design in said audiovisual component on said computer 
system. 

33. A method as claimed in claim 3 wherein said entry process hampers the compression 
of recorded output from said audiovisual component by utilising high audiovisual entropy and/or by 
the inclusion of random or other noise in said audiovisual component. 

34. A method as claimed in claim 3 wherein said audiovisual component includes 
continuous output such that the looping of only a subset of said output shall not reproduce a copy 
largely indistinguishable to said audiovisual component. 

35. A method as claimed in claim 1 or claim 3 wherein said ID-Data or said input 
information is encrypted with some cryptographic process or hashed immediately upon entry and a 
plain text equivalent is not stored by said computer system. 

36. A method as claimed in claim 35 wherein disablement of one or more interrupt 
instructions (or equivalent CPU devices) is utilised to protect said cryptographic or said hash 
process of said ID-Data to hamper the recovery of said ID-Data by processes other than said entry 
process. 

37. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process prevents the re-vectoring of system interrupts in order to protect said ID-Data or said 
input information from being stolen, by means of re-applying interrupt vector pointers one or more 
times and/or by means of examining interrupt assignments in order to perform a predetermined 
function should the expected assignments be altered. 

38. A method as claimed in claim 1 or claim 3 wherein in order to further authenticate 
and/or identify said user, additional aspects of said ID-Data or said input information are used 
including the duration of individual key presses and/or mouse button presses and/or the delay 
between subsequent individual key presses or mouse button presses and/or the user's selection of 
particular keys when more than one equivalent exists and/or the acceleration or velocity 
characteristics of mouse usage and/or where said input information includes information from other 
sources including biometric and/or smartcard information. 

39. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process authenticates itself using (a) executable code checksums of RAM or other images of its 
own executable code and/or data, (b) and/or comparison of memory with other stored copies of said 
executable code, (c) and/or decryption of said entry process (d) and/or detection of executable 
tampering by examination of the executable's environment (e) and/or comparison of executable size 
with expected values (f) and/or by attempting to read past the end of the executable file to determine 
that the size is correct; parts (a) through (f) occurring either upon initial load or during or after 
execution one or more times or continually during execution. 

40. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process makes use of system interrupts to monitor [...] 

41. A method as claimed in claim 39 or claim 40 wherein said input routines or said 
secure entry process incorporates means by which to notify and/or transmit authentication failure 
details to a third person or process should said self authentication fail. 

42. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process records a log of the usage and/or details of the user of said input routines or said 
secure entry process. 

43. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process incorporates warnings within the executable image indicating that examination and/or 
tampering is prohibited. 

44. A method as claimed in claim 3 wherein said audiovisual component contains 
watermark information incorporated into the scene to allow close inspection of said audiovisual 
component to distinguish between the genuine process and a close replica. 

45. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process's loading and/or decryption routines are stored within the executable image in such a 
way as they initially replace other entry process routines and upon successful decryption and/or 
authentication, said other entry process routines are replaced. 

46. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process hampers executable-code tracing through control-flow changes in debug environments 
or through disabling one or more system interrupts and/or disabling the keyboard and/or disabling 
the mouse or other input devices and/or making use of the program [...] 
of a debug environment and/or utilising debug interrupts for program code operation and/or self- 
modification of executable code and/or examination of CPU flag registers and/or verification of 
disabled interrupts still-disabled state and/or verification of disabled keyboards still-disabled state 
and/or loading additional executable code into memory during execution. 

47. A method as claimed in claim 1 or claim 3 wherein the executable image of said input 
routines or said secure entry process includes obfuscating assembly language dummy operation 
codes or instruction prefixes inserted after one or more unconditional branches to hamper executable 
disassembly and/or decompilation and/or reverse engineering. 

48. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process is securely activated by its activation process and/or a host or server computer using a 
challenge/response activation protocol or using public or private key cryptographic methods. 

49. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
entry process is stored outside of said computer system memory in encrypted form and/or where said 
entry process employs techniques to hinder executable-code tracing and/or executable-code 
disassembly or disclosure or decompilation and/or executable-code tampering and/or executable- 
code hot-patching and/or reverse-engineering and/or pre, in, or post-execution executable-code 
recording, copying, eavesdropping or retrieval and/or theft of said input information from keyboard 
hardware or software or drivers. 



50. A method as claimed in claim 2, 11, 12, 13, 14, 15, or 16 further comprising the 
insertion of one or more components as claimed in claims 1, 4, 5, 6, 7, 8, 9, 10, or 51. 

51. A process as claimed in claim 3, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 
30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, or 49 further comprising 
protecting all or part of said input routines or said secure entry process with zero or more 
components as claimed in claims 1, 4, 5, 6, 7, 8, 9, 10, or 0. 

52. A method for providing for the secure input of information into a computer system, or 
a high security executable, substantially as hereinbefore described with reference to the 
accompanying drawings. 

53. A method of altering an original executable program to form an altered executable 
program having increased security, substantially as hereinbefore described with reference to the 
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